A common request when building INTRANET web applications is to have users use only one common shared set of login credentials. In most small and medium businesses this typically means the credentials used to log into a Windows Server of some kind to access the network. Windows Servers use Active Directory (AD), which is basically Microsoft's glorified LDAP server with a slew of additional features needed for corporate and enterprise users. We can leverage this by using PHP's LDAP module to perform the login check for us.

If you're building your application in PHP, a very easy way to do this is to use PHP's LDAP library and call the proper functions. Let's detail the steps below. I'll be doing this from a PHP 5, Debian installation.

LDAP tends to be tied into the Windows AD Domain Name System to allow integrated quick lookups and fast resolution of queries. LDAP generally runs on port 389 and, like other protocols, usually conforms to a distinct set of rules (RFCs).

First we need to verify which Windows Active Directory we will be authenticating against. If you're in a very large corporate environment, you may need the help of an SA (system administrator) to guide you. Basically, the first thing you need to know is the domain which the user is associated with.

Essentially you need to figure out what the LDAP connection URL is, and this requires a bit more information about how the Windows network is configured. Typically it's something like:

CN=Users,DC=corp,DC=domain,DC=local

then you would combine this with the URL of the Windows AD server

LDAP://dc1.corp.domain.com/
or
LDAP://10.0.1.3/

To query for a particular user. If you have access to the Windows Server, from the command line run.

The above information is necessary so you can fill in the details of the PHP script below.

Step 2. Verify PHP LDAP Library installed and enabled.

You can do this by viewing the PHP info to see which modules are currently loaded on your server.

Create a simple PHP file on your web server and call it test.php or something like that. When you run it, it will display all the information that PHP/Apache has configured.

<?php
phpinfo();
?>

Run that file from your browser at http://localhost/test.php and search for an entry like LDAP (typically midway down the page, between JSON and LIBXML). If you see something like the screen below, the LDAP module is enabled.

PHP info showing LDAP module is enabled.

If you do not see this enabled, then you may want to have it added to your PHP/Apache server. The simplest way, if you have shell access to a typical Debian Linux server, is to run the command below. For other flavors of Linux like Red Hat/CentOS, a similar yum command should be available.

sudo apt-get install php5-ldap

or for PHP 7

sudo apt-get install php-ldap

The command should install the necessary library and restart the server. Once again, re-test that it's enabled by running the above test.php and confirming the LDAP module is correctly loaded.

Step 3. Test PHP Login against Windows AD

Finally, upload this test LDAP script to your server and save it as ldap.php (or similar name) which does the follow…

Security Considerations:

By default, LDAP traffic is transmitted unsecured; this may or may not be a concern in an intranet setting. For maximum safety, use SSL technology to encrypt the traffic. Also, most Windows Server AD installations will LOCK the account after n unsuccessful retries, so be aware of this when testing your PHP login script.
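
The considerations above, as an added example that is not the article's ldap.php script: a bind check that upgrades the port 389 connection with StartTLS, refuses empty passwords (which a directory server can treat as an unauthenticated bind and accept), and logs AD's locked-out sub-code so lockouts during testing are visible. The host comes from the article's example URL; the UPN suffix, the function name ad_login and the form field names are assumptions, and the code needs PHP 7.1 or later.

```php
<?php
// Added example: hardened AD bind check. Host and UPN suffix are assumptions.
const AD_HOST = 'ldap://dc1.corp.domain.com';  // from the article's example URL
const AD_UPN_SUFFIX = '@corp.domain.local';    // assumed; ask your administrator

function ad_login(string $user, string $password): array
{
    // An empty password turns the bind into an unauthenticated bind, which
    // a directory server may accept, so reject it before touching the network.
    // The strict username pattern also keeps odd characters out of the bind name.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return [false, 'invalid input'];
    }

    // Require a valid server certificate (process-wide, set before connecting).
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect(AD_HOST);
    if ($conn === false) {
        return [false, 'bad LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Upgrade the connection to TLS; never fall back to cleartext.
    if (!@ldap_start_tls($conn)) {
        return [false, 'StartTLS failed: ' . ldap_error($conn)];
    }

    if (@ldap_bind($conn, $user . AD_UPN_SUFFIX, $password)) {
        ldap_unbind($conn);
        return [true, 'ok'];
    }

    // AD puts a sub-code in the diagnostic message; 775 means locked out.
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    ldap_unbind($conn);
    if (preg_match('/data 775\b/', (string) $diag)) {
        error_log("AD login refused for {$user}: account is locked out");
    }
    // Same answer for every failure so the page does not reveal which case.
    return [false, 'login failed'];
}

[$ok, $reason] = ad_login((string) filter_input(INPUT_POST, 'user'),
                          (string) filter_input(INPUT_POST, 'pass'));
echo $ok ? 'Login OK' : 'Login failed';
```

The detailed reason is returned for server-side logging only; the user sees the same message for every failure.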

Hopefully this will provide an easy way to integrate your PHP scripts with your INTRANET servers, making it easier to manage user accounts and access from one spot.